CVE-2026-55069 — HIGH (8.7)

Vulnerability Description

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computation speed to recover the administrator password offline. In Kubernetes deployments, a successful crack further enables reading of the cluster ServiceAccount Token and all K8s Secrets, achieving vertical privilege escalation. This vulnerability is fixed in 1.3.24.

CVSS Score

8.7

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Related Weaknesses (CWE)

CWE-916

References

https://github.com/kestra-io/kestra/security/advisories/GHSA-m727-pcjm-j28h

FAQ

What is CVE-2026-55069?

CVE-2026-55069 is a vulnerability with a CVSS score of 8.7 (HIGH). Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. A...

How severe is CVE-2026-55069?

CVE-2026-55069 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-55069?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.